Welcome to Splunk Answers, a Q&A forum for users to find answers to questions about deploying, managing, and using Splunk products. Contributors of all backgrounds and levels of expertise come here to find solutions to their issues, and to help other users in the Splunk community with their own questions.


That works, but it seems really ugly to me, and I'm wondering if I'm missing some better way to do this. Ideally I'd also like to be able to find examples of Event-1 with no matching Event-3, but I think I can do that with transaction as well, using keepevicted=1.

Any suggestions for a better path to my desired results?

Edit:

Ok, maybe I boiled down my example too much. Here's the original data:

This is a Symantec NetBackup job completing. The key pieces of Event 1 are "End of Data=1" (There were lots of records before this with that value as 0), and the backupid. I'm extracting the backupid as a field.

This is Symantec scheduling the data in this backupid as part of a replication job between storage arrays. There may be multiple of these entries, for multiple backup objects all grouped together in one replication. The key elements I've identified are "ImageCopyExt_Record", the backupid (same as event 1) and the jobid (will match event 3). Other events exist with the search string and the backupid but without a jobid.


It's not clear at all to me what your transaction is supposed to do. You have abstracted away everything and provided a single example, so I find it very difficult to understand your intention, i.e., what you want it to do. I can see what your search does do, but with no way to generalize, I can't come up with something better.

But I just tried it again and what I found was it found cases where event1 exist but no event2 or event3. (Either backups that aren't configured to replicate, or backups that are still replicating.) So I added to the end of that "| search completed" and it works. Somehow I didn't expect transaction to transaction on EITHER field, but on BOTH. Thanks!

Yes, transaction will be transitive on each field. If a field has a value, it won't link, but if it is null, then it will be allowed to link. This behavior I think is related to the connected=t option.
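A self-contained SPL run that shows the transitive linking described in this thread, added here as an illustration rather than taken from the question or any answer; it constructs four sample events with makeresults (the field names backupid and jobid and the sample values are assumed), chains them with transaction on both fields, and then drops the unfinished chain with "| search completed":

```spl
| makeresults
| eval rows="1;End of Data=1 backupid=B1|2;ImageCopyExt_Record backupid=B1 jobid=J1|3;jobid=J1 status=completed|4;End of Data=1 backupid=B2"
| makemv delim="|" rows
| mvexpand rows
| eval seq=tonumber(replace(rows, ";.*$", "")), _raw=replace(rows, "^[0-9]+;", ""), _time=_time+seq
| fields - rows
| rex field=_raw "backupid=(?<backupid>\S+)"
| rex field=_raw "jobid=(?<jobid>\S+)"
| sort - _time
| transaction backupid jobid keepevicted=true
| search completed
| table _time duration eventcount backupid jobid _raw
```

Events 1 and 2 share backupid=B1 and events 2 and 3 share jobid=J1, so transaction joins all three even though event 1 has no jobid and event 3 has no backupid; the B2 event, which never reaches a "completed" record, forms its own single-event transaction and is removed by the final search.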
